Code Workshop & Review
Introduction

The Code Workshop & Review is intended to complement your internal software quality programs. It is a well-defined process that analyzes a selected portion of your business application code for security problems, making your network-based application more secure and less vulnerable to determined intruders and hacking attacks. It has two distinct parts: a one-day on-site interactive review of the application design and implementation, and an off-site hands-on analysis of a selected portion of code, the length of which depends on your individual need (from several days to several weeks).

Remarkably Efficient Process
SystemExperts's Code Workshop & Review methodology minimizes the burden it places on your budget and resources: for example, we do not require our clients to prepare detailed documentation. Prior to the on-site Code Workshop, we will need a small amount of your time on the phone to answer a handful of basic questions about the code to be analyzed.
Based on the answers to those questions, we assign staff with skills in the specific programming languages involved. We also assign staff familiar with overall application architectures, design models, and development practices. Creating effective and secure business applications is not just about the technical details of coding in C, C++, Java, JavaScript, XML, or whatever language is being used; it is about ensuring that the primary business objectives are implemented and supported by the entire application environment.
In all likelihood, we will not audit your entire code base. There is usually no need to go over each and every line of your code to understand the security vulnerabilities of the application. By understanding your application design, we will identify the security-critical set of modules or functions and put those under the microscope.
How We'll Work Together
We will not be auditing you. Rather, together through a series of highly interactive discussions, we will openly explore the strengths and weaknesses of your entire environment in the context of your business, functional, and regulatory requirements.
The Accelerated Security Assessment will take place over a one- to three-day period. In advance of the session, we'll provide you with a list of topics, and we'll expect you to arrange for people knowledgeable about those topics to participate in the Assessment.
The sessions will be highly interactive, good natured, and mentally draining. What may surprise you to learn is that they are most often quite enjoyable. We'll bring a small team of consultants, typically three or four. We will choose them based on your particular technical needs (e.g., Windows, networking, databases, application infrastructure, PeopleSoft, ISO 17799 or Sarbanes-Oxley compliance).

Where does the Code Workshop & Review fit into your process?
The typical business application is the result of a long and complex process: architecture, design, implementation, functional testing, quality assurance testing, production deployment, and maintenance. During the last ten years, we have seen the need for independent, unbiased code reviews increase significantly. The reason is that the time-to-market requirements of the fast-paced Web world compress the development cycle; security issues are often pushed to the side or expected to be remedied in later releases.
Most business application developers are hired primarily for their skills in design, implementation, and testing in specific programming languages, not for writing secure code. Therefore, many of these applications have not been designed to withstand the security challenges faced by today's business applications. SystemExperts has the specific skills to identify security problems in your application code and the programming expertise to recommend practical remedies.
How We Will Work Together

The Code Workshop & Review consists of two phases. Phase one is an on-site discussion of the application's purpose and design. Phase two is an off-site review of the selected code.

Code Workshop (Phase 1)
It is important for people knowledgeable about your application environment and the details of the selected code to participate in the Code Workshop. The Code Workshop moves from a high level discussion of the business purpose of the application, to how the selected code actually works, to how it is constructed, and finally, an interactive walk-through of some of the code. This methodology allows us to put the code in proper business context.
The schedule is flexible, but we typically take the first part to walk through the business requirements and functional architecture. One or more of your people will informally present the application while our consultants ask questions. During the rest of the day, we will delve into the actual coding practices used to support the application and we will identify the exact code to be analyzed during the Code Review phase.
Code Review (Phase 2)

Following the Code Workshop phase, our team will spend an agreed-upon amount of time off-site performing a manual inspection of the selected code. Depending upon the amount of code to be reviewed, this process generally lasts one to three weeks. During that review, we will look for common security problems such as unvalidated parameters, broken access control, broken account and session management, inappropriate state management, buffer overflows, error handling problems, and insecure use of cryptography. These types of issues are often the reason why Web-based applications are subverted, providing access to back-end systems and data or enabling intruders to masquerade as other users.

What You Will Get

SystemExperts documents the findings from the Code Workshop and the Code Review in a single well-written report that includes our signature Straight Answers. These Straight Answers concisely address the important business questions that relate to the application (e.g., "Are the functions that were reviewed vulnerable to hacker or determined intruder exploitation?").
The main body of the report consists of findings and recommendations. The Code Workshop generally raises a number of architectural, design, and deployment findings. The Code Review generally raises a number of code-specific problems and deficiencies in coding practices. The final section of the report summarizes and prioritizes our recommendations.
At the end of this efficient Code Workshop and Review project, you will know how to make your application code more secure, which will reduce your risk of falling victim to an attack.
SystemExperts Corporation. New York | Boston | Washington | Boca Raton | Chicago | San Francisco. Call 1-888-749-9800. Copyright SystemExperts Corporation, 1995 - 2008. All rights reserved. All trademarks used herein are the property of their respective owners. Legal notices.